In a recent InternetRetailing webinar, Maintaining availability while under attack – How Whitbread and Costa mitigate Distributed Denial of Service (DDOS), Paul Draper, solutions architect at Whitbread, joined Jay Coley, senior director, security planning and strategy at Akamai Technologies for a conversation around how Whitbread ensures that its websites are always available. Here’s a bullet-point overview of the discussion.
Paul Draper opened the webinar with an introduction to Whitbread, now in its 275th anniversary year. Today the group includes the Beefeater and Brewers Fayre restaurant chains, Premier Inn, Costa Coffee and Costa Express machines.
• What a distributed denial of service attack is, and the importance of defending ecommerce sites from malicious attackers while keeping them available to legitimate users.
“There’s no such thing as 100% mitigation – you have to take a risk-based approach.” Any exposed system is vulnerable to DDOS attack, so the aim is to manage the risk rather than remove it, and there is technology you can implement to do so.
• Akamai’s Jay Coley explained how in February Akamai defended against the largest recorded DDOS attack, which targeted GitHub. He talked through what happened and how Akamai successfully mitigated it.
Why should I care?
• Bottom line: if your online service were offline for one, three or 24 hours, how would it affect you?
• Customers divert to a competitor, so attacks should be mitigated on a risk basis.
• DDOS attacks were up 14% in 2017 compared with 2016 (Akamai’s State of the Internet report).
• Security in retail varies, yet every retailer holds personal customer details.
Is it going to happen to me?
“We’d say it’s not if but when,” with large brands more likely to be a target.
Attack vector 1: infrastructure
Draper and Coley talked through protecting infrastructure, and how Costa/Whitbread block attacks.
Attack vector 2: bots
• Over 2 trillion requests from bots in November
• Observing how humans interact with a website, as distinct from how bots do, allows a decision on whether a client is a bot that needs to be treated as such or a human who needs to be allowed to enter data.
• Why is retail susceptible to being attacked by bots? Draper: “Retail is attractive to attackers because it has the data they’re looking for.” Websites are run by FTSE 100 plcs and by your next-door neighbour, with very different levels of security.
Internet of Things (IoT)
- Mirai botnet: first came onto the scene in 2016 and has been seen from time to time since. It is built from IoT devices, which can be shipped with little or no security features. “Once they’re plugged into the internet, malicious actors can use them at will,” Jay Coley.
- A denial of service may run as a distraction alongside a bot attack aimed at stealing data. Mirai is a large and complex botnet, and more like it should be expected as more IoT devices come onto the market.
- Retail is a target here. Expect surges in attacks as username and password lists taken in previous breaches are uploaded to the dark web and reused in credential attacks.
- 1.02bn credential attacks in November 2017
• Only 13% of attacks come from the UK, but a business that operates only in the UK can drop international traffic from markets it does not serve.
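The three signals described above (bots behaving differently from humans, leaked credential lists replayed against login forms, and traffic from markets a UK-only business does not serve) can be turned into a simple triage pass over edge logs. The following Python is an added illustration for this write-up, not code from the webinar, Whitbread or Akamai. The one-line-per-request log format, the TEST-NET client addresses, the `/login` path and all thresholds are assumptions made for the example, and the sample traffic is constructed.

```python
"""Behavioural triage of clients in CDN-style edge logs (added example).

Constructed log format, one request per line (an assumption, not Akamai's):
    <epoch-seconds> <client-ip> <country> <method> <path> <status> "<user-agent>"
"""
import re
from collections import namedtuple
from dataclasses import dataclass, field

LOG_LINE = re.compile(
    r'^(?P<ts>\d+(?:\.\d+)?) (?P<ip>\S+) (?P<cc>[A-Z]{2}) (?P<method>[A-Z]+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')
STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".svg", ".woff2")
LOGIN_PATH = "/login"  # assumed login endpoint
# The user agent is parsed but never trusted: attackers set it freely.
Request = namedtuple("Request", "ts ip country method path status user_agent")

def parse_line(line: str) -> Request:
    """Parse one log line; reject anything that does not fit the format."""
    m = LOG_LINE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return Request(float(m["ts"]), m["ip"], m["cc"], m["method"],
                   m["path"], int(m["status"]), m["ua"])

@dataclass
class ClientProfile:
    country: str
    timestamps: list = field(default_factory=list)
    asset_requests: int = 0  # CSS/JS/images: browsers fetch them, scripts rarely do
    login_failures: int = 0  # failed POSTs to the login form

    def rate(self) -> float:
        """Sustained requests per second over the client's observed window."""
        span = max(self.timestamps) - min(self.timestamps)
        return len(self.timestamps) / span if span > 0 else float("inf")

def profile_clients(lines):
    """Aggregate per-client behaviour from raw log lines."""
    profiles = {}
    for r in map(parse_line, lines):
        p = profiles.setdefault(r.ip, ClientProfile(country=r.country))
        p.timestamps.append(r.ts)
        if r.path.endswith(STATIC_SUFFIXES):
            p.asset_requests += 1
        if r.method == "POST" and r.path == LOGIN_PATH and r.status in (401, 403):
            p.login_failures += 1
    return profiles

def flag_clients(lines, home_country="GB", min_requests=10,
                 max_rate=5.0, max_login_failures=5):
    """Return {ip: [reasons]} for each client that trips at least one rule.
    Thresholds are illustrative; tune them against your own traffic."""
    flagged = {}
    for ip, p in profile_clients(lines).items():
        reasons = []
        if p.country != home_country:  # a UK-only business can drop other markets
            reasons.append("outside-home-market")
        if len(p.timestamps) >= min_requests:  # judge behaviour only on enough samples
            if p.rate() > max_rate:
                reasons.append("machine-speed")
            if p.asset_requests == 0:
                reasons.append("no-page-assets")
        if p.login_failures >= max_login_failures:
            reasons.append("credential-stuffing")
        if reasons:
            flagged[ip] = reasons
    return flagged

def recommend(reasons):
    """Map reasons to an edge action: block outright, challenge, or geo-drop."""
    if "credential-stuffing" in reasons or "machine-speed" in reasons:
        return "block"
    return "challenge" if "no-page-assets" in reasons else "drop-outside-market"

def sample_log():
    """Constructed traffic on TEST-NET addresses: a UK shopper, a UK scraper,
    a US credential stuffer replaying a leaked list, and a German shopper."""
    ua, t = "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0", 1_700_000_000.0
    lines = [f'{t + d:.3f} 198.51.100.10 GB {m} {path} {s} "{ua}"' for d, m, path, s in (
        (0.0, "GET", "/", 200), (0.4, "GET", "/static/app.css", 200),
        (0.5, "GET", "/static/app.js", 200), (6.0, "GET", "/menu", 200),
        (11.0, "POST", "/login", 401), (18.0, "POST", "/login", 200))]
    lines += [f'{t + 20 + i * 0.05:.3f} 203.0.113.5 GB GET /product/{i} 200 "python-requests/2.31"'
              for i in range(40)]
    lines += [f'{t + 30 + i * 0.1:.3f} 192.0.2.77 US POST /login 401 "curl/8.4.0"'
              for i in range(30)]
    lines.append(f'{t + 33.0:.3f} 192.0.2.77 US POST /login 200 "curl/8.4.0"')
    lines += [f'{t + 40:.3f} 198.51.100.44 DE GET / 200 "{ua}"',
              f'{t + 40.3:.3f} 198.51.100.44 DE GET /static/app.css 200 "{ua}"']
    return lines

if __name__ == "__main__":
    for ip, reasons in flag_clients(sample_log()).items():
        print(f"{ip:16} {recommend(reasons):20} {', '.join(reasons)}")
```

Run stand-alone, the UK shopper is left alone, the scraper and the credential stuffer are blocked for machine-speed behaviour (the stuffer also for its run of failed logins), and the German shopper is only listed because the sample policy assumes a UK-only business. Note that the single failed login from the UK shopper, a typo, stays well under the threshold, which is the point of judging behaviour in aggregate rather than reacting to individual requests.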
High level reference architecture: DDOS mitigation (presented with a chart)
• People and processes are key: not all about technology
• How traffic is monitored by teams in different parts of the world, and how the Whitbread team is organised.
• Impossible to remove 100% of risk
• Pragmatic approach (cost vs benefit)
• Origin platforms should be robust to absorb attack traffic
• Review WAF tuning reports regularly: the platform is only as secure as its configuration, and attacks constantly evolve.
• Move WAF rules from alert to deny mode as early as practically possible.
• Look to have DNS DDoS mitigation (Akamai Fast DNS).
• Full access to the Akamai Edge API, to automate and integrate protection into the DevOps cycle.
• Importance of prioritising and protecting pain points.
• Will it happen to you: not a question of if but when.
• GDPR important – mitigation helps towards compliance
• Invest in business change and security internally
The webinar then moved into a Q&A session. Listen to the webinar in full to hear the conversation and the Q&A session in more detail.